[development] Making #access required on forms

Darrel O'Pry darrel.opry at gmail.com
Fri Oct 24 16:19:13 UTC 2008

On Fri, Oct 24, 2008 at 12:00 PM, Angela Byron <drupal-devel at webchick.net>wrote:

> Gerhard brought this up on the security team list, but it seems like it's
> worth broader discussion:
> ---
> Hi there,
> as more an more people use Drupal to provide non-traditional Webpages
> (e.g. providing services using Ajax, Flex, ...) our traditional access
> permission checks in hook_menu are less than ideal.
> For example, you can use drupal_execute to conveniently create content
> or anything else. However, no check for access permissions is done since
> this only happens in the menu hook for node/add/whatever.
> I therefore propose to push for D7 that the #access parameter on forms
> be made mandatory.
> Opinions?
> ---
> My initial thought on the downside is that this has implications for people
> who are using drupal_execute() to perform programmatic tasks
> (node/block/etc. creation, etc.); they would no longer work unless the
> script switched to user with the proper credentials (so we should probably
> get a nice user switching API function in core). It is also something in the
> upgrade steps that, if missed, will cause forms to completely disappear
> which is bound to result in support requests.
> On the other hand, it would provide extra security and would be akin to the
> way we force menu callbacks to provide an access control or they don't
> appear for anyone. It might also help us clean up some nasty places in core
> (node form, I am looking at you) where we have if (user_access(...))
> hard-coded.
> So, I echo: opinions? :)
> -Angie

I don't think that it should be a requirement or forced on developers. I do
think it should be recommended. The processing, submission, and validation
logic will have to be updated per form, especially if #access is used at the
element level. #access is there and has been there. If someone has a good
idea of  a way to use it more effectively, document it and promote the
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20081024/fb891cd1/attachment-0001.htm 

More information about the development mailing list